Android MasterKey found buried in kiddie cake game on Google Play - report

Two Google Play apps that use the so-called "MasterKey" vulnerability, albeit harmlessly, have been detected, security researchers have announced.

The Android signature vulnerability, which first came to light two weeks ago, affects the vast majority of Android smartphones and tablets, creating a means to load fake files into Android installation packages without changing the signatures.

Apps for Android come as .APKs (Android Packages), which are actually just ZIP archives. Mobile security start-up Bluebox Security discovered it was possible to pack an installation file with files whose name is the same as those already in the archive but whose arbitrary contents might easily contain malicious code.

Android's cryptographic verifier checks the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version.

Google has reportedly begun scanning apps in its Google Play Store for the MasterKey vulnerability. These scans also cover a similar flaw along the same lines that was recently discovered by Chinese security researchers.

Despite this, checks by antivirus firm BitDefender have revealed the presence of a number of apps featuring the vulnerability on the official Google Play store. The doctored apps are harmless and the abuse of the vulnerability is probably accidental, BitDefender security researcher Bogdan Botezatu explains in a blog post (extract below):

Two of the apps, Rose Wedding Cake Game – ‘air.RoseWeddingCakeGame v 1.1.0’ and Pirates Island Mahjong Free ’air.PiratesIslandMahjong v 1.0.1’, have been last updated in mid-May and are increasingly popular with Android users. While the Pirates Island Mahjong Free has been installed by between 5,000 and 10,000 users, Rose Wedding Cake Game has between 10,000 and 50,000 installs.

There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake. In contrast, malicious exploitation of this flaw focuses on replacing application code.

One thing that is particularly interesting about today’s discovery is the fact that the two applications exhibiting this behaviour managed to make their way into the Play Store without raising any red flags. However, patched Android distributions such as CyanogenMod will refuse to install the application with the mention that the “Package file was not signed correctly”.

The obvious concern is that if effective screening for the vulnerability is not even taking place on Google's official Play store, then something more potent and nasty might easily appear.

Aside from any screening, recent changes mean that Google Play Store apps are only supposed to update through the official Play update mechanisms. Google banned outside updating mechanisms two-and-a-half months ago, a move that in retrospect looks like a response to Bluebook Security's private notification that it had a problem involving Android app integrity checks back in February.

We understand the applications were reviewed but not removed by Google because they didn't do anything harmful and weren't otherwise in violation of the Android Developer Distribution Agreement.

Almost all Android devices are potentially at risk from the MasterKey flaw, since the vulnerability has existed since Android 1.6 (Donut), but only the Samsung Galaxy S4 has been patched to protect against it.

Bitdefender Mobile Security & Antivirus suite, as well as the Romanian vendor's Antivirus Free for Android, are all being updated to detect and block Android package files that abuse the MasterKey vulnerability, which might be used in attempted to distribute doctored versions of popular apps containing hidden backdoor or other malicious code.

Rival antivirus vendor Webroot has also updated its Android anti-malware software. And more protection is available with the free-of-charge ReKey application from Duo Security and Northeastern University's System Security Lab, which offers a third-party unofficial patch designed to fix the underlying vulnerability rather than detecting and blocking attempts to exploit the security hole. ®